Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: screen 4.0.3 local Authentication Bypass

From: "Lolek of TK53" <lolek1337 () googlemail com>
Date: Mon, 4 Jun 2007 19:00:38 +0200
Hi,
On 6/4/07, rembrandt () jpberlin de <rembrandt () jpberlin de> wrote:

Please take a look at the Attachement dear List moderator. :)

...

It has been tested on OpenBSD 4.1 + screen 4.0.3 on x86.

How to reproduce:

Lock screen using ctrl+x
Choose a Password
Confirm the Password

Screen asks for a Password to unlock the screen.
Just press ctrl+c and it displays "Getpass error".
2 seconds later the screen is unlocked and you`ve access.


This is not reproducable with screen 4.0.3 on a Linux system. Also
with looking at the code of screen I can see no vulnerability in this
context. Can you show some code that proves your claim?
If not I suggest to get a better operating system distributor ;)
Cheers
Lolek of TK53
P.S. It's ctrl-a x not ctrl-x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: